Credential Theft via Malicious 'torchtriton' PyPI Typosquatting Package
Overview
A supply chain attack targeting the AI/ML community: in late December 2022 a malicious package named `torchtriton` was uploaded to the Python Package Index (PyPI). The name is a near match for `triton`, OpenAI's library for writing efficient GPU kernels, which PyTorch uses as a dependency, and it was also exactly the name of a dependency that PyTorch nightly builds pulled from PyTorch's own package index rather than from PyPI. A developer could install the malicious package by misspelling `triton`, but more importantly any `pip install` that resolved the nightly dependency saw the PyPI copy take precedence over the legitimate one on the PyTorch index, so the malicious version was installed without any user error at all.
Once installed and imported, the package ran a heavily obfuscated payload that performed reconnaissance on the victim's machine. It collected and exfiltrated sensitive data, including environment variables, Kubernetes configuration files, SSH keys, and system files such as `/etc/passwd` and `/etc/shadow` (the latter only when the install ran as root), to an attacker-controlled server. Environment variables alone typically hold cloud credentials, API tokens and database passwords, and ML development hosts are often rich with such secrets for cloud services, data stores and model repositories, which is what made this population an attractive target. The attack needed no vulnerability in PyTorch or `triton` itself, only a colliding package name and pip's resolution order, which is why stringent dependency management (pinned, hash-checked requirements and a single trusted source per package name) matters in ML development workflows.
Affected Systems
Linux hosts that installed PyTorch nightly builds via pip between 25 and 30 December 2022, and any environment in which `torchtriton` was installed from PyPI.
Testing Guide
1. Review your project's dependency files (`requirements.txt`, `pyproject.toml`, lockfiles) for the package name `torchtriton`. pip normalizes names, so also match spellings such as `torch-triton` and `Torch_Triton`.
2. Run `pip list` (or `pip show torchtriton`) in every development environment, CI image and container to check for the presence of the malicious package; `pip show` exits non-zero when the package is absent, which makes it easy to script.
3. Use a dependency scanning tool to automatically check for this and other known malicious packages: `pip install pip-audit && pip-audit`. `pip-audit` queries the PyPI and OSV advisory databases, which track known-malicious packages as well as vulnerable ones.
4. If the package is found, treat the host as compromised rather than merely cleaning it: uninstall the package, rotate every credential that was present in the environment (cloud keys, API tokens, SSH keys, kubeconfigs), and review outbound network logs from the time of installation onward.
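The manifest and environment checks in steps 1 and 2, as an added example that is not part of the original advisory: it normalizes names the way pip does, flags the known-malicious name, and additionally flags any name one edit away from a trusted package (the generic typosquat case). The `BLOCKLIST` and `TRUSTED` sets and the sample manifest are assumptions constructed for illustration.

```python
"""Check dependency manifests and the active environment for the malicious
``torchtriton`` package and for near-name look-alikes of trusted packages.

Added example; not part of the original advisory. BLOCKLIST and TRUSTED are
illustrative assumptions, not authoritative lists.
"""
import re
from importlib import metadata
from typing import List, Optional

# Names known to be malicious (assumption: seeded with the incident's package).
BLOCKLIST = {"torchtriton"}
# Popular names whose one-character misspellings we want flagged (assumption).
TRUSTED = {"triton", "torch", "numpy", "requests"}

# Leading project name in a requirement line such as "Triton==2.1.0 ; python_version>'3.8'".
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed sample manifest for demonstration.
SAMPLE_REQUIREMENTS = (
    "torch==2.0.1\n"
    "torchtriton==2.0.0  # name that collided with a PyTorch nightly dependency\n"
    "tritom\n"
    "-r base.txt\n"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization, as PyPI and pip apply it."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> Optional[str]:
    """Return a finding for a suspicious name, or None if it looks clean."""
    n = normalize(name)
    if n in BLOCKLIST:
        return f"{n}: known malicious package"
    for trusted in sorted(TRUSTED):
        if n != trusted and edit_distance(n, trusted) <= 1:
            return f"{n}: one edit away from trusted package {trusted}"
    return None


def parse_requirements(text: str) -> List[str]:
    """Extract normalized project names from requirements.txt-style text."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, --index-url ...)
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def audit_requirements(text: str) -> List[str]:
    """Findings for every suspicious name in a requirements file."""
    return [f for f in (classify(n) for n in parse_requirements(text)) if f]


def audit_installed() -> List[str]:
    """Findings for every distribution installed in the current environment."""
    names = set()
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name")
        except Exception:  # unreadable METADATA: nothing to classify
            name = None
        if name:
            names.add(name)
    return sorted(f for f in (classify(n) for n in names) if f)


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + audit_installed():
        print(finding)
```

Run it inside each virtual environment or container image you want to check; `audit_installed()` reads the installed distribution metadata directly, so it does not depend on `pip` being on `PATH`. The one-edit heuristic is deliberately narrow: widening it to prefix or suffix matches would flag legitimate packages such as `torchvision`.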
Mitigation Steps
1. **Verify Package Names:** Double-check the spelling of all packages before installation, especially those with names similar to popular libraries, and confirm on PyPI that the project, maintainer and release history are what you expect.
2. **Use Hash-Checking:** Pin dependency versions and record hashes in `requirements.txt` (for example with `pip-compile --generate-hashes`), then install with `pip install -r requirements.txt --require-hashes`. In hash-checking mode pip refuses any requirement that is not pinned with `==` and a `--hash`, and rejects an artifact whose digest does not match, so a substituted package fails the install instead of running. This verifies that what you pinned has not been tampered with; it does not tell you whether the pinned package was safe in the first place.
3. **Control Index Precedence:** When a dependency lives on a vendor or private index, do not add that index with `--extra-index-url` alongside PyPI, because pip then considers both sources for every name and a same-named package on PyPI can win. Point `--index-url` at a single index, or at a repository proxy that resolves each package name from exactly one upstream. This is the path that made `torchtriton` installable without any typo.
4. **Audit Dependencies:** Regularly scan project dependencies for known vulnerabilities and malicious packages using tools such as `pip-audit` or Snyk, in CI as well as on developer machines.
5. **Limit Permissions:** Install packages in isolated virtual environments or containers with minimal permissions and no long-lived cloud or SSH credentials in the environment, to limit the blast radius of an install-time or import-time script.
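The hash-checking step, as an added example that is not part of the original advisory or of pip: it parses hash-pinned requirement lines of the form pip accepts (`name==version --hash=sha256:...`, with backslash continuations), enforces the same rules pip applies in `--require-hashes` mode, and verifies an artifact's digest before it would be installed. The lockfile text and the artifact bytes are constructed in the script for illustration.

```python
"""Verify a downloaded artifact against a hash-pinned requirements entry, the
check that ``pip install --require-hashes`` performs before installing.

Added example; not part of the original advisory or of pip. The lockfile and
the artifact bytes below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, Set, Tuple

_ENTRY_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, as PyPI and pip apply it."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> Dict[str, dict]:
    """Map normalized name -> {"version": str, "hashes": {(algo, hexdigest), ...}}.

    Applies pip's hash-checking rules: every requirement must be pinned with
    ``==`` and carry at least one ``--hash``; anything else is rejected.
    """
    logical = text.replace("\\\n", " ")            # join pip-style line continuations
    entries: Dict[str, dict] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):       # skip blanks and pip options
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unpinned requirement not allowed in hash-checking mode: {line}")
        hashes: Set[Tuple[str, str]] = {(a.lower(), h.lower()) for a, h in _HASH_RE.findall(line)}
        if not hashes:
            raise ValueError(f"{m.group(1)} is pinned but has no --hash; pip would refuse it")
        entries[normalize(m.group(1))] = {"version": m.group(2), "hashes": hashes}
    return entries


def verify_artifact(entries: Dict[str, dict], name: str, data: bytes) -> bool:
    """True if ``data`` matches any recorded hash for ``name``.

    A package absent from the lockfile is an error, not a pass: in hash-checking
    mode pip refuses to install anything it has no hash for.
    """
    entry = entries.get(normalize(name))
    if entry is None:
        raise KeyError(f"{name} is not in the lockfile; refusing unlisted package")
    for algo, expected in entry["hashes"]:
        if hashlib.new(algo, data).hexdigest() == expected:
            return True
    return False


# Constructed stand-ins for downloaded wheels (not real package contents).
GOOD_WHEEL = b"constructed stand-in for a legitimate triton wheel"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload"

# Constructed lockfile in the format pip-compile --generate-hashes emits.
LOCKFILE = (
    "torch==2.0.1 \\\n"
    "    --hash=sha256:" + hashlib.sha256(b"constructed stand-in for a torch wheel").hexdigest() + "\n"
    "triton==2.0.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n"
)


if __name__ == "__main__":
    lock = parse_lockfile(LOCKFILE)
    print("genuine triton wheel accepted:", verify_artifact(lock, "triton", GOOD_WHEEL))
    print("tampered triton wheel accepted:", verify_artifact(lock, "triton", TAMPERED_WHEEL))
    try:
        verify_artifact(lock, "torchtriton", GOOD_WHEEL)
    except KeyError as exc:
        print("unlisted package rejected:", exc)
```

The two failure modes worth noticing are the ones a substituted package would hit: a changed artifact fails the digest comparison, and a name that was never pinned (such as `torchtriton` pulled in transitively) is refused outright rather than silently installed.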
Patch Details
The malicious package was removed from PyPI shortly after discovery. PyTorch also removed `torchtriton` as a dependency of its nightly builds, replacing it with `pytorch-triton`, and reserved the `torchtriton` name on PyPI so that it could not be registered again. Users who had installed an affected nightly build were told to uninstall both it and `torchtriton` and to rotate any credentials that had been present on the host.